Customize AD FS Login Screen – Illustration

To update the left-hand illustration on your AD FS login screen, open PowerShell as administrator on the AD FS server, and type the command:

Set-AdfsWebTheme -TargetName <your theme name> -Illustration @{path="<path to the image>"}

The theme name that is delivered with the AD FS configuration is “default”, but you have the option of creating and customizing your own themes.

Customize AD FS Login Screen – Create Custom Theme

The theme name that is delivered with the AD FS configuration is “default”, but you have the option of creating and customizing your own themes. To create a custom theme, open PowerShell as administrator on the AD FS server, and type the command:

new-adfswebtheme -name <your theme name> -sourcename <the theme to copy>

For your first theme, you will probably want to use “default” as the source.

To activate your theme, type command:

Set-AdfsWebConfig -ActiveThemeName <your theme name>

Customize AD FS Login Screen – Company Logo

To update the company logo on your AD FS login screen, open PowerShell as administrator on the AD FS server, and type the command:

Set-AdfsWebTheme -TargetName <your theme name> -Logo @{path="<path to the image>"}

The theme name that is delivered with the AD FS configuration is “default”, but you have the option of creating and customizing your own themes.
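The three posts above (illustration, custom theme, company logo) are steps of one branding job, so here is an added PowerShell example that runs them end to end: it creates a theme from "default", applies both images, activates the theme and confirms the activation. This is not code from the original posts; the theme name "Contoso" and the two image paths are placeholders, and the script assumes an elevated session on the AD FS server with the ADFS module available.

```powershell
# Added example (not from the original posts): create a custom AD FS web theme from
# "default", apply an illustration and a logo, then activate it and verify.
# Assumptions: theme name "Contoso" and the two PNG paths are placeholders; run in an
# elevated PowerShell session on the AD FS server with the ADFS module installed.
#Requires -RunAsAdministrator
param(
    [string]$ThemeName        = 'Contoso',
    [string]$SourceTheme      = 'default',
    [string]$IllustrationPath = 'C:\ADFS-Branding\illustration.png',   # placeholder
    [string]$LogoPath         = 'C:\ADFS-Branding\logo.png'            # placeholder
)

Import-Module ADFS -ErrorAction Stop

# Refuse to continue if an image is missing; otherwise Set-AdfsWebTheme fails half-way
# and leaves the theme with one image updated and the other not.
foreach ($file in @($IllustrationPath, $LogoPath)) {
    if (-not (Test-Path -Path $file -PathType Leaf)) {
        throw "Image file not found: $file"
    }
}

# Create the theme only if it does not already exist, so the script can be re-run safely.
if (-not (Get-AdfsWebTheme -Name $ThemeName -ErrorAction SilentlyContinue)) {
    New-AdfsWebTheme -Name $ThemeName -SourceName $SourceTheme
}

# Apply both images in one call. The hashtable takes 'path' (and optionally 'locale').
Set-AdfsWebTheme -TargetName $ThemeName `
    -Illustration @{ path = $IllustrationPath } `
    -Logo         @{ path = $LogoPath }

# Activate the theme and confirm that the active theme really changed.
Set-AdfsWebConfig -ActiveThemeName $ThemeName
$active = (Get-AdfsWebConfig).ActiveThemeName
if ($active -ne $ThemeName) {
    throw "Activation failed: active theme is '$active', expected '$ThemeName'"
}
Write-Host "Theme '$ThemeName' is active; reload the sign-in page to see the new images."
```

Because the theme is created only when it is absent, the same script can be used later to swap images without recreating the theme; the final check guards against the common mistake of updating a theme that is not the active one.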

Thick Client Identity

When AD FS is configured for Lawson, a "Thick Client" is also installed, which allows users to connect to client tools such as Microsoft Add-ins or Lawson Security Administrator. For users to be able to log into these tools, they must have a thick client identity set up in Lawson Security. The thick client value will be the same as the SSOP value. The password isn't used, so it can be set to anything.

AD FS Configuration Errors – gMSA/Insufficient Privileges

If you are configuring AD FS, remember that you must have at least one domain controller running Windows Server 2012 or later (AD FS runs under a group Managed Service Account, and gMSAs require a Windows Server 2012 domain controller). If your infrastructure does not meet this requirement, you will receive gMSA/insufficient privileges errors during the AD FS configuration. Update those domain controllers!

Upload Users to IFS

After your AD FS configuration, you will need to load users into IFS from LDAP. There is an option to search for each user and add them manually, but if you have a large group of Lawson users this can be time consuming. IFS also offers a mass upload using a CSV file. The CSV file needs to have a header, and the only value required is the samAccountName.

Create your CSV file, then go into Manage > Users in IFS. Click “Upload” and browse to your CSV file. Click Open and the users will be added into IFS.

Using IPA to Update SSOP Identity after AD FS Configuration

Once your AD FS configuration is done, you'll need to update the SSOP identity with userPrincipalName for all of your users in Lawson Security. IPA is a great tool for this task.

Some nodes that you’ll need include:

  • System Command – get AD users
    • Run a powershell command to get the samAccountName and userPrincipalName from Active Directory
    • powershell "Get-ADUser -Filter * -SearchBase '<OU Path (i.e. OU=Users,DC=company,DC=org)>' | Select-Object SamAccountName,UserPrincipalName | ConvertTo-Csv -NoTypeInformation"
  • Data Iterator to iterate through the results from the AD query
  • Resource Query
    • Get User by querying on SSOP value
    • <?xml version="1.0" encoding="UTF-8" standalone="yes"?><TRANSACTION user="user@company.org" method="getRMQuery"><SERVICE><![CDATA[SSOP]]></SERVICE><SERVICEATTRS><SERVICEATTR><NAME><![CDATA[USER]]></NAME><VALUE><![CDATA[<!samAccountName>]]></VALUE></SERVICEATTR></SERVICEATTRS><OBJECT><![CDATA[People]]></OBJECT><ATTRIBUTES><ATTRIBUTE><![CDATA[ID]]></ATTRIBUTE></ATTRIBUTES><OUTPUTSERVICEATTRS/></TRANSACTION>
  • Resource Update
    • Using the ID from your Resource Query, Update the SSOP service
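Both the IFS mass upload (a CSV whose only required column is samAccountName) and the IPA flow above (samAccountName plus userPrincipalName from AD) start from the same Active Directory query, so here is one added PowerShell example that produces both files from one pass. It is not code from the original posts; the OU path and output folder are placeholders, it requires the ActiveDirectory module (RSAT), and it skips accounts that have no userPrincipalName, since those would leave the SSOP identity blank in Lawson Security.

```powershell
# Added example (not from the original posts): export Lawson users from Active Directory
# as CSV, once for the IFS mass upload (header samAccountName only) and once with
# userPrincipalName for the IPA flow that updates the SSOP identity.
# Assumptions: the OU path and output folder are placeholders; the ActiveDirectory
# module (RSAT) must be present on the machine running this.
param(
    [string]$SearchBase = 'OU=Users,DC=company,DC=org',   # placeholder, as in the post
    [string]$OutFolder  = 'C:\Lawson\Export'               # placeholder
)

Import-Module ActiveDirectory -ErrorAction Stop
New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null

# Pull only enabled accounts; disabled accounts should not be given a Lawson identity.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
             -Properties SamAccountName, UserPrincipalName

# Accounts without a UPN would leave the SSOP identity empty; report them and leave them out.
$missingUpn = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.UserPrincipalName) })
if ($missingUpn.Count -gt 0) {
    Write-Warning ("{0} account(s) have no userPrincipalName and were skipped: {1}" -f `
        $missingUpn.Count, (($missingUpn | ForEach-Object { $_.SamAccountName }) -join ', '))
    $users = $users | Where-Object { -not [string]::IsNullOrWhiteSpace($_.UserPrincipalName) }
}

# 1) IFS upload file: a header row plus samAccountName, nothing else.
#    A calculated property fixes the header spelling regardless of how AD reports it.
$users |
    Select-Object @{ Name = 'samAccountName'; Expression = { $_.SamAccountName } } |
    Export-Csv -Path (Join-Path $OutFolder 'ifs-users.csv') -NoTypeInformation -Encoding UTF8

# 2) IPA input file: the two columns the System Command node in the post selects.
$users |
    Select-Object SamAccountName, UserPrincipalName |
    Export-Csv -Path (Join-Path $OutFolder 'ipa-ssop-users.csv') -NoTypeInformation -Encoding UTF8

Write-Host ("Exported {0} users to {1}" -f @($users).Count, $OutFolder)
```

Reviewing the skipped-account warning before the IFS upload is worthwhile: any account listed there will be created in IFS but will never get a working SSOP identity until its UPN is set in AD.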

Troubleshoot NoClassDefFoundError (bouncycastle.x509)

After configuring LSF for AD FS, we encountered a 500 error after a login smoke test. The error was being logged in SystemOut.log for our AppServer. The error message was:

[4/30/19 14:31:41:287 PDT] 000000e9 ServletWrappe E com.ibm.ws.webcontainer.servlet.ServletWrapper service Uncaught service() exception thrown by servlet SSOServlet: java.lang.NoClassDefFoundError: org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure

To troubleshoot this, we first regenerated and reloaded the AD FS certificate into the LSF IdP certificate in ssoconfig. This did not resolve the issue, so we then checked the Java policy files. It turned out that the policy files were out of date. You need to update the policy files in JAVA_HOME and in WebSphere. First, download the latest policy files from Oracle and IBM, and the BouncyCastle jar from the BouncyCastle website.

To determine the directories which need the replacement files, first open a command line as administrator and type "where java". This will show you where your main install of Java is located. Go to this directory, then jre/lib/security, and replace local_policy.jar and US_export_policy.jar. The BouncyCastle jar file will be located at jre/lib/ext. Matching files must also be stored in your WebSphere Java home. To figure out where this directory structure is, open SystemOut.log and scan for the last time the AppServer was started. "Java Home" will be displayed there. The directory structure will be the same as your main Java install.

Remember to backup/rename your old policy files and copy the new ones to these directories. You’ll have to stop your WebSphere services and kill all java processes before you can do this.
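The three steps above (find both Java homes, back up the old jars, copy in the new ones) are easy to get half-right by hand, so here is an added PowerShell example that does them in one run. It is not code from the original post. It assumes the downloaded jars sit in a placeholder folder, that the SystemOut.log path is a placeholder you replace with your own, that the "Java Home" line in SystemOut.log has the form "Java Home = <path>", and that the BouncyCastle jar is named bcprov-jdk15on.jar (also a placeholder; use the file name you downloaded). It refuses to run while any java.exe is alive, which matches the post's advice to stop WebSphere first.

```powershell
# Added example (not from the original post): locate the two Java installs that need the
# updated policy files, back up the existing jars with a timestamp, and copy in the new ones.
# Assumptions: $NewFilesDir holds the downloaded local_policy.jar, US_export_policy.jar and
# the BouncyCastle jar; $SystemOutLog and the BouncyCastle file name are placeholders; the
# "Java Home" line in SystemOut.log is assumed to look like "Java Home = <path>".
#Requires -RunAsAdministrator
param(
    [string]$NewFilesDir   = 'C:\JavaPolicyUpdate',                                            # placeholder
    [string]$SystemOutLog  = 'D:\WebSphere\AppServer\profiles\AppSrv01\logs\server1\SystemOut.log',  # placeholder
    [string]$BouncyCastle  = 'bcprov-jdk15on.jar',                                             # placeholder name
    [string]$MainJavaHome  = ''    # optional override if "where java" points at a launcher shim
)

# Refuse to touch jars that a running JVM may have loaded.
if (Get-Process -Name java -ErrorAction SilentlyContinue) {
    throw 'Java processes are still running; stop WebSphere and kill java.exe, then retry.'
}

# Java home #1: the main install, derived from the java.exe on PATH (what "where java" shows).
if (-not $MainJavaHome) {
    $javaExe      = (Get-Command java.exe -ErrorAction Stop).Source
    $MainJavaHome = Split-Path -Parent (Split-Path -Parent $javaExe)   # ...\bin\java.exe -> root
}

# Java home #2: WebSphere's JDK, read from the most recent "Java Home" line in SystemOut.log.
$match = Select-String -Path $SystemOutLog -Pattern 'Java Home\s*=\s*(.+?)\s*$' | Select-Object -Last 1
if (-not $match) { throw "No 'Java Home' line found in $SystemOutLog" }
$WasJavaHome = $match.Matches[0].Groups[1].Value.Trim()

# A JDK keeps the files under <home>\jre\lib, a standalone JRE under <home>\lib.
function Get-JreRoot([string]$home) {
    foreach ($candidate in @((Join-Path $home 'jre'), $home)) {
        if (Test-Path (Join-Path $candidate 'lib\security')) { return $candidate }
    }
    throw "Could not find lib\security under $home; pass -MainJavaHome explicitly."
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$replacements = @(
    @{ File = 'local_policy.jar';     Sub = 'lib\security' },
    @{ File = 'US_export_policy.jar'; Sub = 'lib\security' },
    @{ File = $BouncyCastle;          Sub = 'lib\ext' }
)

foreach ($home in @($MainJavaHome, $WasJavaHome) | Sort-Object -Unique) {
    $root = Get-JreRoot $home
    foreach ($r in $replacements) {
        $src = Join-Path $NewFilesDir $r.File
        $dst = Join-Path (Join-Path $root $r.Sub) $r.File
        if (-not (Test-Path $src)) { throw "Missing replacement file: $src" }
        if (Test-Path $dst) {
            # Keep the old jar beside the new one so the change can be reverted.
            Rename-Item -Path $dst -NewName ($r.File + ".bak-$stamp")
        }
        Copy-Item -Path $src -Destination $dst
        Write-Host "Replaced $dst"
    }
}
```

If "where java" resolves to a launcher shim rather than the real install, the lib\security check fails and the script asks for -MainJavaHome; that is preferable to silently dropping the jars into a directory the JVM never reads.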